jose

package module

README

krakend-jose

JOSE component for the KrakenD framework

Modified by: DKolibar

Documentation

Index

Constants

// Namespace keys under which this component's configuration is located.
// GetSignatureConfig and NewSigner both take a *config.EndpointConfig; these
// keys are presumably the entries they look up in it — confirm against those
// functions.
const (
	ValidatorNamespace = "github.com/DKolibar/krakend-jose/validator"
	SignerNamespace    = "github.com/DKolibar/krakend-jose/signer"
)

Variables

// Errors reported by the JWK client while fetching keys from the JWK service.
var (
	// ErrInsecureJWKSource is returned when the JWK client reaches the JWK
	// service over an insecure connection. NOTE(review): presumably suppressed
	// by the DisableJWKSecurity / AllowInsecure settings — confirm in the client.
	ErrInsecureJWKSource = errors.New("JWK client is using an insecure connection to the JWK service")
	// ErrPinnedKeyNotFound is returned when the configured fingerprints
	// (SecretProviderConfig.Fingerprints) match no presented key — confirm
	// where exactly the pin check runs (Dialer.DialTLSContext, presumably).
	ErrPinnedKeyNotFound = errors.New("JWK client did not find a pinned key")
)
// Configuration errors: the endpoint carries no config for the component
// (presumably under ValidatorNamespace / SignerNamespace — confirm).
var (
	ErrNoValidatorCfg = errors.New("no validator config")
	ErrNoSignerCfg    = errors.New("no signer config")
)
// Errors and sentinels used by the key cachers (see KeyCacher).
var (
	// ErrNoKeyFound is returned when no key matching the requested key id is available.
	ErrNoKeyFound = errors.New("no Keys have been found")
	// ErrKeyExpired is returned when the key is cached but has outlived its
	// maximum age (see MemoryKeyCacher.Get).
	ErrKeyExpired = errors.New("key exists but is expired")

	// Configuring with MaxKeyAgeNoCheck (presumably as the maxKeyAge of
	// NewMemoryKeyCacher — confirm) will skip the key expiry check entirely,
	// so cached keys are never aged out; set it deliberately.
	MaxKeyAgeNoCheck = time.Duration(-1)
)

DefaultEnabledCipherSuites is a collection of secure cipher suites to use

Functions

func CalculateHeadersToPropagate

func CalculateHeadersToPropagate(propagationCfg [][]string, claims map[string]interface{}) (map[string]string, error)

func CanAccess

func CanAccess(roleKey string, claims map[string]interface{}, required []string) bool

func CanAccessNested

func CanAccessNested(roleKey string, claims map[string]interface{}, required []string) bool

func CompoundX5TKeyIDGetter

func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string

CompoundX5TKeyIDGetter extracts the key id from the JSONWebKey as a compound string of the kid and the x5t.

func CompoundX5TTokenKeyIDGetter

func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

CompoundX5TTokenKeyIDGetter extracts the key id from the JSONWebToken as a compound string of the kid and the x5t.

func CustomFieldsMatcher added in v2.2.0

func CustomFieldsMatcher(claims map[string]interface{}, wantedFields map[string]string) bool

func DecodeFingerprints

func DecodeFingerprints(in []string) ([][]byte, error)

func DefaultKeyIDGetter

func DefaultKeyIDGetter(key *jose.JSONWebKey) string

DefaultKeyIDGetter returns the default kid as JSONWebKey key id

func DefaultTokenKeyIDGetter

func DefaultTokenKeyIDGetter(token *jwt.JSONWebToken) string

DefaultTokenKeyIDGetter returns the default kid as the JSONWebKey key id

func NewSigner

func NewSigner(cfg *config.EndpointConfig, te auth0.RequestTokenExtractor) (*SignerConfig, Signer, error)

func NewValidator

func NewValidator(signatureConfig *SignatureConfig, ef ExtractorFactory) (*auth0.JWTValidator, error)

func ScopesAllMatcher

func ScopesAllMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesAnyMatcher

func ScopesAnyMatcher(scopesKey string, claims map[string]interface{}, requiredScopes []string) bool

func ScopesDefaultMatcher

func ScopesDefaultMatcher(_ string, _ map[string]interface{}, _ []string) bool

func SignFields

func SignFields(keys []string, signer Signer, response *proxy.Response) error

func X5TKeyIDGetter

func X5TKeyIDGetter(key *jose.JSONWebKey) string

X5TKeyIDGetter extracts the key id from the JSONWebKey as the x5t.

func X5TTokenKeyIDGetter

func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string

X5TTokenKeyIDGetter extracts the key id from the JSONWebToken as the x5t.

Types

type ChainedRejecterFactory

// ChainedRejecterFactory is a RejecterFactory built from a collection of
// factories; its New method chains the rejecters they produce.
type ChainedRejecterFactory []RejecterFactory

ChainedRejecterFactory returns rejecters that chain every rejecter contained in the collection.

func (ChainedRejecterFactory) New

New returns a chained rejecter that evaluates all the rejecters in order until v is rejected or the end of the chain is reached.

type Claims

// Claims is a set of JWT claims keyed by claim name; Get looks a claim up
// by name as a string.
type Claims map[string]interface{}

func (Claims) Get

func (c Claims) Get(name string) (string, bool)

type Dialer

// Dialer is the network dialer built by NewDialer from a SecretProviderConfig
// and a *tls.Config. NOTE(review): DialTLSContext is presumably where the
// configured CA, cipher suites and fingerprint pinning are enforced — confirm
// in the implementation.
type Dialer struct {
	// contains filtered or unexported fields
}

func NewDialer

func NewDialer(cfg SecretProviderConfig, tlsConfig *tls.Config) *Dialer

func (*Dialer) DialContext

func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error)

func (*Dialer) DialTLSContext

func (d *Dialer) DialTLSContext(ctx context.Context, network, addr string) (net.Conn, error)

type ExtractorFactory

// ExtractorFactory builds, from a string argument, the function that extracts
// the JSONWebToken from an incoming request (see NewValidator).
type ExtractorFactory func(string) func(r *http.Request) (*jwt.JSONWebToken, error)

type FileKeyCacher

// FileKeyCacher is a KeyCacher backed by the key data handed to
// NewFileKeyCacher. Its Add discards the web keys it is given (the parameter
// is blank in the signature), so the key set never grows from the network.
type FileKeyCacher struct {
	// contains filtered or unexported fields
}

func NewFileKeyCacher

func NewFileKeyCacher(data []byte, keyIdentifyStrategy string) (*FileKeyCacher, error)

func (*FileKeyCacher) Add

func (f *FileKeyCacher) Add(keyID string, _ []jose.JSONWebKey) (*jose.JSONWebKey, error)

func (*FileKeyCacher) Get

func (f *FileKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

type FixedRejecter

// FixedRejecter is a Rejecter whose Reject always returns the bool value of f,
// regardless of the claims.
type FixedRejecter bool

FixedRejecter is a rejecter that always returns the same bool response

func (FixedRejecter) Reject

func (f FixedRejecter) Reject(_ map[string]interface{}) bool

Reject always returns the fixed value f.

type JWKClient

// JWKClient extends auth0.JWKClient; it is built by NewJWKClientWithCache and
// its GetSecret implements the SecretProvider interface.
type JWKClient struct {
	*auth0.JWKClient
	// contains filtered or unexported fields
}

func NewJWKClientWithCache

func NewJWKClientWithCache(options JWKClientOptions, extractor auth0.RequestTokenExtractor, keyCacher auth0.KeyCacher) *JWKClient

NewJWKClientWithCache creates a new JWKClient instance from the provided options and the custom extractor and key cacher. Passing nil as keyCacher creates a persistent key cacher. The extractor is also stored in the extended JWKClient.

func (*JWKClient) GetSecret

func (j *JWKClient) GetSecret(r *http.Request) (interface{}, error)

GetSecret implements the GetSecret method of the SecretProvider interface.

type JWKClientOptions

// JWKClientOptions extends auth0.JWKClientOptions with the key identification
// strategy.
type JWKClientOptions struct {
	auth0.JWKClientOptions
	// KeyIdentifyStrategy selects how key ids are derived from keys and tokens;
	// see KeyIDGetterFactory and TokenIDGetterFactory.
	KeyIdentifyStrategy string
}

type KeyCacher

// KeyCacher caches JSON web keys by key id. FileKeyCacher and MemoryKeyCacher
// implement it.
type KeyCacher interface {
	// Get returns the cached key for keyID; MemoryKeyCacher.Get also reports
	// ErrKeyExpired for aged-out keys (see its documentation).
	Get(keyID string) (*jose.JSONWebKey, error)
	// Add stores the key identified by keyID from webKeys and returns it.
	Add(keyID string, webKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)
}

func NewMemoryKeyCacher

func NewMemoryKeyCacher(maxKeyAge time.Duration, maxCacheSize int, keyIdentifyStrategy string) KeyCacher

NewMemoryKeyCacher creates a new KeyCacher with options to set the maximum age of cached keys and the maximum size of the cache.

type KeyIDGetter

// KeyIDGetter extracts a key id from a JSONWebKey; KeyIDGetterFactory picks
// the implementation from the key identify strategy.
type KeyIDGetter interface {
	Get(*jose.JSONWebKey) string
}

KeyIDGetter extracts a key id from a JSONWebKey

func KeyIDGetterFactory

func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter

type KeyIDGetterFunc

// KeyIDGetterFunc adapts a plain function to the KeyIDGetter interface.
type KeyIDGetterFunc func(*jose.JSONWebKey) string

KeyIDGetterFunc is a function type conforming to the KeyIDGetter interface.

func (KeyIDGetterFunc) Get

func (f KeyIDGetterFunc) Get(key *jose.JSONWebKey) string

Get calls f(key).

type MemoryKeyCacher

// MemoryKeyCacher is the in-memory KeyCacher created by NewMemoryKeyCacher,
// bounded by a maximum key age and a maximum cache size.
type MemoryKeyCacher struct {
	// contains filtered or unexported fields
}

func (*MemoryKeyCacher) Add

func (mkc *MemoryKeyCacher) Add(keyID string, downloadedKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)

Add adds a key into the cache and handles cache overflow.

func (*MemoryKeyCacher) Get

func (mkc *MemoryKeyCacher) Get(keyID string) (*jose.JSONWebKey, error)

Get obtains a key from the cache and checks whether the key has expired.

type NopRejecterFactory

// NopRejecterFactory is a RejecterFactory whose rejecters accept every token.
type NopRejecterFactory struct{}

NopRejecterFactory is a factory returning rejecters accepting all the tokens

func (NopRejecterFactory) New

New returns a fixed rejecter that accepts all the tokens

type Rejecter

// Rejecter decides, from the token claims, whether a token must be rejected.
type Rejecter interface {
	// Reject returns true when the token carrying these claims is rejected.
	Reject(map[string]interface{}) bool
}

Rejecter defines the interface for the components responsible for rejecting tokens.

type RejecterFactory

// RejecterFactory builds a Rejecter for an endpoint from its configuration.
type RejecterFactory interface {
	New(logging.Logger, *config.EndpointConfig) Rejecter
}

RejecterFactory is a builder for rejecters

type RejecterFactoryFunc

// RejecterFactoryFunc adapts a plain function to the RejecterFactory interface.
type RejecterFactoryFunc func(logging.Logger, *config.EndpointConfig) Rejecter

RejecterFactoryFunc is an adapter to use a function as rejecter factory

func (RejecterFactoryFunc) New

New calls f(l, cfg)

type RejecterFunc

// RejecterFunc adapts a plain function to the Rejecter interface.
type RejecterFunc func(map[string]interface{}) bool

RejecterFunc is an adapter to use functions as rejecters

func (RejecterFunc) Reject

func (r RejecterFunc) Reject(v map[string]interface{}) bool

Reject calls r(v)

type SecretProviderConfig

// SecretProviderConfig holds the settings NewDialer uses to reach the JWK or
// secret source. NOTE(review): field meanings below are inferred from the
// names and from the matching SignatureConfig/SignerConfig fields — confirm
// against the constructors before relying on them.
type SecretProviderConfig struct {
	// URI of the JWK service.
	URI                 string
	// CacheEnabled and CacheDuration control caching of the fetched keys.
	CacheEnabled        bool
	CacheDuration       uint32
	// Fingerprints are the decoded key pins (cf. DecodeFingerprints, which
	// turns the []string form into [][]byte). With pins configured, a key that
	// matches none of them is expected to surface ErrPinnedKeyNotFound.
	Fingerprints        [][]byte
	// Cs lists the TLS cipher suites to enable; presumably the same values as
	// SignatureConfig.CipherSuites.
	Cs                  []uint16
	// LocalCA identifies a local CA used to verify the JWK service.
	LocalCA             string
	// AllowInsecure permits an insecure connection to the JWK service; keep it
	// false so an insecure source is reported (see ErrInsecureJWKSource).
	AllowInsecure       bool
	// LocalPath points at a local key file (cf. NewFileKeyCacher).
	LocalPath           string
	// SecretURL and CipherKey locate and decrypt a secret — confirm the format.
	SecretURL           string
	CipherKey           []byte
	// KeyIdentifyStrategy selects the KeyIDGetter/TokenIDGetter used.
	KeyIdentifyStrategy string
}

type SignatureConfig

// SignatureConfig is the validator configuration decoded by GetSignatureConfig
// from the endpoint config; the json tags are the configuration keys. Field
// meanings are taken from the matching helper signatures on this page and
// are hedged where the page does not show them.
type SignatureConfig struct {
	// Alg is the expected signature algorithm; tokens signed with anything
	// else should be rejected.
	Alg                     string            `json:"alg"`
	// URI is the JWK service to fetch verification keys from.
	URI                     string            `json:"jwk_url"`
	CacheEnabled            bool              `json:"cache,omitempty"`
	CacheDuration           uint32            `json:"cache_duration,omitempty"`
	// Issuer and Audience are the claim values the token must carry.
	Issuer                  string            `json:"issuer,omitempty"`
	Audience                []string          `json:"audience,omitempty"`
	// Roles, RolesKey and RolesKeyIsNested feed CanAccess / CanAccessNested.
	Roles                   []string          `json:"roles,omitempty"`
	// PropagateClaimsToHeader is the propagationCfg of CalculateHeadersToPropagate.
	PropagateClaimsToHeader [][]string        `json:"propagate_claims,omitempty"`
	// PropagateIssAsTenantId — purpose not shown on this page; confirm.
	PropagateIssAsTenantId  []string          `json:"propagate_iss_as_tenant_id,omitempty"`
	RolesKey                string            `json:"roles_key,omitempty"`
	RolesKeyIsNested        bool              `json:"roles_key_is_nested,omitempty"`
	// ReqClaimFieldsEquals is the wantedFields of CustomFieldsMatcher.
	ReqClaimFieldsEquals    map[string]string `json:"req_claim_fields_equals,omitempty"`
	// CookieKey names the cookie the token may be extracted from — confirm.
	CookieKey               string            `json:"cookie_key,omitempty"`
	// CipherSuites restricts the TLS cipher suites used towards the JWK service.
	CipherSuites            []uint16          `json:"cipher_suites,omitempty"`
	// DisableJWKSecurity relaxes the JWK source checks (no omitempty: the key
	// is always emitted). NOTE(review): presumably allows the insecure
	// connection that ErrInsecureJWKSource otherwise reports — confirm.
	DisableJWKSecurity      bool              `json:"disable_jwk_security"`
	// Fingerprints are string-encoded key pins; DecodeFingerprints turns them
	// into the [][]byte form used by SecretProviderConfig.
	Fingerprints            []string          `json:"jwk_fingerprints,omitempty"`
	LocalCA                 string            `json:"jwk_local_ca,omitempty"`
	LocalPath               string            `json:"jwk_local_path,omitempty"`
	SecretURL               string            `json:"secret_url,omitempty"`
	// Note the configuration key is spelled "cypher_key"; changing it would
	// break existing configs.
	CipherKey               []byte            `json:"cypher_key,omitempty"`
	// Scopes, ScopesKey and ScopesMatcher select between ScopesAllMatcher,
	// ScopesAnyMatcher and ScopesDefaultMatcher and feed them.
	Scopes                  []string          `json:"scopes,omitempty"`
	ScopesKey               string            `json:"scopes_key,omitempty"`
	ScopesMatcher           string            `json:"scopes_matcher,omitempty"`
	// KeyIdentifyStrategy is passed to KeyIDGetterFactory / TokenIDGetterFactory.
	KeyIdentifyStrategy     string            `json:"key_identify_strategy"`
	// OperationDebug — purpose not shown on this page; confirm.
	OperationDebug          bool              `json:"operation_debug,omitempty"`
}

func GetSignatureConfig

func GetSignatureConfig(cfg *config.EndpointConfig) (*SignatureConfig, error)

type Signer

// Signer signs a payload and returns its serialized token; NewSigner builds
// one and SignFields applies it to response fields.
type Signer func(interface{}) (string, error)

type SignerConfig

// SignerConfig is the signer configuration returned by NewSigner; the json
// tags are the configuration keys. Fields shared with SignatureConfig are
// presumably interpreted the same way — confirm.
type SignerConfig struct {
	// Alg is the signing algorithm and KeyID the kid of the signing key.
	Alg                string   `json:"alg"`
	KeyID              string   `json:"kid"`
	// URI is the JWK source the signing key is fetched from.
	URI                string   `json:"jwk_url"`
	// FullSerialization — purpose not shown on this page; confirm.
	FullSerialization  bool     `json:"full,omitempty"`
	// KeysToSign are the response fields SignFields signs (its keys parameter).
	KeysToSign         []string `json:"keys_to_sign,omitempty"`
	CipherSuites       []uint16 `json:"cipher_suites,omitempty"`
	// DisableJWKSecurity relaxes the JWK source checks; see SignatureConfig.
	DisableJWKSecurity bool     `json:"disable_jwk_security"`
	Fingerprints       []string `json:"jwk_fingerprints,omitempty"`
	LocalCA            string   `json:"jwk_local_ca,omitempty"`
	LocalPath          string   `json:"jwk_local_path,omitempty"`
	SecretURL          string   `json:"secret_url,omitempty"`
	// Note the configuration key is spelled "cypher_key".
	CipherKey          []byte   `json:"cypher_key,omitempty"`
}

type TokenIDGetter

// TokenIDGetter extracts the key id from a JSON web token; TokenIDGetterFactory
// picks the implementation from the key identify strategy.
type TokenIDGetter interface {
	Get(*jwt.JSONWebToken) string
}

TokenIDGetter extracts the keyID from the JSON web token

func TokenIDGetterFactory

func TokenIDGetterFactory(keyIdentifyStrategy string) TokenIDGetter

TokenIDGetterFactory returns the TokenIDGetter from the keyIdentifyStrategy configuration string

type TokenKeyIDGetterFunc

// TokenKeyIDGetterFunc adapts a plain function to the TokenIDGetter interface.
type TokenKeyIDGetterFunc func(*jwt.JSONWebToken) string

TokenKeyIDGetterFunc is a function type conforming to the TokenIDGetter interface.

func (TokenKeyIDGetterFunc) Get

Get calls f(r).
